Have you noticed the plethora of security breaches recently? A hacker
breaks into the United States Department of Agriculture systems, someone
steals a PC from a local YMCA, but most troubling to me is the rash
of laptop thefts. Laptop thefts are not new. These portable and easily
concealed machines have been the target of thieves for years. What's
troubling to me is the information stored on the laptops.
Obviously no one thinks their laptop is going to be stolen, but why
would anyone think it's appropriate to download employees' salary
and social security numbers and then take that information off of
company premises? To me, either the employees downloading this information
have too much authority and are allowed to download inappropriate
types of data, or the organization's policy is not restrictive enough
and lets someone take private data offsite on media that is
easily stolen ("thumb drives" or "memory sticks" pose a similar
threat).
The most appalling
story was the Ernst & Young auditor whose laptop was stolen
that contained the names and credit card information from users of
Hotels.com. E & Y claims that the credit card information was
part of the transactions being reviewed as part of the audit. Now
I can appreciate that one might have to review transactions as part
of an audit but I have a very difficult time believing that they need
credit card numbers. Here’s a case where private information was part
of a larger set of information. Rather than taking the time to give
them only the information required, the auditor was given all of the
information in the file.
No one wants their organization to be the next headline. To help
prevent this, you might want to work through the following questions:
• What policies or processes is your organization missing?
• How is your organization's private or company confidential information protected?
• Does your organization's security policy address the appropriate use of data?
• Do you have processes in place that prevent your auditors from accessing and downloading private data?
Policy Minder Tip - Programs and Service Programs that Adopt Authority.
Adopted authority is a powerful tool that allows you to temporarily
give users authority to application resources, such as files. Many
vendors use this technique to provide a secure method to allow users
to access files while running the application but not access files
outside of the application (for example, from the command line or
using FTP.) Adopted authority is also used for utilities that allow
operators or help desk personnel to perform functions (for example,
resetting users’ passwords) without having to assign their profiles
the special authorities these functions require. While adopted authority
provides flexibility, it is also very powerful and potentially dangerous.
For that reason, you should regularly review programs that adopt authority,
especially programs and service programs that adopt powerful profiles
such as QSECOFR.
SkyView's Policy Minder makes "enforcing" this process
easy. After initializing the Policy Minder settings, the *ALLOBJ template
in the Adopted authority category lists all programs and service
programs that adopt a profile having *ALLOBJ special authority. You
will want to review this list for appropriateness. For example, you
will want to look for programs that allow the caller to circumvent
security, such as programs that call the command line API or that
create a powerful profile that can be used surreptitiously.
Once the list is reviewed, you take control by running a Policy Minder Compliance
Check on a regular basis. A compliance check of the Adopted authority
category will let you know if additional programs that adopt an *ALLOBJ
user have been created. You can also look for programs that adopt
other profiles, such as QPGMR. This is a great way to take control
of your system by finding out when third-party application providers
or developers create programs that adopt.
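The review-then-baseline process described above can be illustrated with a small script. This is an added example, not SkyView's code and not Policy Minder's logic: it assumes you have exported the list of adopting programs (on IBM i the DSPPGMADP command, e.g. DSPPGMADP USRPRF(QSECOFR), displays programs that adopt a given profile) into a simple "library/name type profile" text form, which is an assumed format for illustration, and that the special authorities of each profile are known (in practice from DSPUSRPRF). The sample listings and profile data are constructed. The script builds the equivalent of the *ALLOBJ template (every program adopting a profile that holds *ALLOBJ) and then performs the compliance check: which *ALLOBJ-adopting programs appeared since the reviewed baseline, and which disappeared.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AdoptingProgram:
    library: str
    name: str
    obj_type: str   # "*PGM" or "*SRVPGM"
    profile: str    # user profile whose authority the program adopts


# Constructed sample of profiles and their special authorities.
# Only the presence of *ALLOBJ matters for the template below.
SPECIAL_AUTHORITIES = {
    "QSECOFR": {"*ALLOBJ", "*SECADM", "*JOBCTL", "*SPLCTL",
                "*SAVSYS", "*SERVICE", "*AUDIT", "*IOSYSCFG"},
    "QPGMR": {"*JOBCTL", "*SAVSYS"},
    "APPOWNER": {"*ALLOBJ"},          # hypothetical application owner profile
}

# Constructed listing of adopting programs as of today
# (assumed export format: "library/name type profile").
CURRENT_LISTING = """\
PAYLIB/PAYUPD *PGM QSECOFR
PAYLIB/PAYRPT *PGM QPGMR
HELPDESK/RSTPWD *PGM QSECOFR
VENDAPP/VNDSRV *SRVPGM APPOWNER
VENDAPP/NEWTOOL *PGM QSECOFR
"""

# Constructed listing saved after the last manual review (the baseline).
BASELINE_LISTING = """\
PAYLIB/PAYUPD *PGM QSECOFR
PAYLIB/PAYRPT *PGM QPGMR
HELPDESK/RSTPWD *PGM QSECOFR
VENDAPP/VNDSRV *SRVPGM APPOWNER
OLDLIB/OLDPGM *PGM QSECOFR
"""


def parse_listing(text):
    """Turn the exported listing into a set of AdoptingProgram records."""
    programs = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        qualified, obj_type, profile = line.split()
        library, name = qualified.split("/")
        programs.add(AdoptingProgram(library.upper(), name.upper(),
                                     obj_type.upper(), profile.upper()))
    return programs


def adopts_allobj(program, specials=SPECIAL_AUTHORITIES):
    """True if the adopted profile holds *ALLOBJ special authority."""
    return "*ALLOBJ" in specials.get(program.profile, set())


def allobj_template(programs, specials=SPECIAL_AUTHORITIES):
    """Equivalent of the *ALLOBJ template: every program adopting an *ALLOBJ profile."""
    return {p for p in programs if adopts_allobj(p, specials)}


def compliance_check(current_text, baseline_text, specials=SPECIAL_AUTHORITIES):
    """Compare today's adopting programs with the reviewed baseline.

    Returns the *ALLOBJ-adopting programs that are new since the baseline
    (these need review) and the baseline entries no longer present.
    """
    current = allobj_template(parse_listing(current_text), specials)
    baseline = allobj_template(parse_listing(baseline_text), specials)
    return {"new": current - baseline, "removed": baseline - current}


if __name__ == "__main__":
    result = compliance_check(CURRENT_LISTING, BASELINE_LISTING)
    for p in sorted(result["new"], key=lambda p: (p.library, p.name)):
        print(f"NEW *ALLOBJ adopter: {p.library}/{p.name} {p.obj_type} adopts {p.profile}")
    for p in sorted(result["removed"], key=lambda p: (p.library, p.name)):
        print(f"Removed since baseline: {p.library}/{p.name}")
```

Run on the constructed data, the check flags VENDAPP/NEWTOOL as a new program adopting QSECOFR and reports OLDLIB/OLDPGM as gone; PAYLIB/PAYRPT is ignored because QPGMR does not hold *ALLOBJ. Once the new entry has been reviewed, the current listing becomes the next baseline.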
Want to know more about SkyView Policy Minder? Join a webinar.
Are you overwhelmed with the details of managing your security policy
compliance requirements? Let SkyView Policy Minder automate that process.
IBM thought enough of SkyView products to certify them as "Server
Proven" and as "i5/OS ready".
Sincerely,
Carol Woodbury
SkyView Partners, Inc.
About the author
Carol Woodbury is co-founder of SkyView Partners, Inc., a firm specializing
in security compliance management and assessment software as well
as security services. Carol is the former chief security architect
for AS/400 for IBM in Rochester, Minnesota, and has specialized in
security architecture, design, and consulting for more than 15 years.
Carol speaks around the world on a variety of security topics and
is coauthor of the book Experts' Guide to OS/400 and i5/OS Security.